Today in Surveillance:

  • India's MeitY told WhatsApp to halt its new username feature and respond within three days. The Ministry of Electronics and IT cited phishing, digital-arrest scams, and impersonation of public authorities, financial institutions, and government departments, invoking the IT Act 2000 and the 2021 Intermediary Rules. WhatsApp opened username reservations on June 29 and has roughly 850 million users in India [1].
  • EFF's Paige Collings published a "How Can I Wipe Online Data That Points To My Queer Identity?" guide. The July 2 piece walks through Privacy Badger, removing advertising IDs, Google's "Results about you," California's DROP tool, and paid services EasyOptOuts and Optery, plus an audit-your-footprint step list [2].
  • EFF's Collings and Erica Portnoy laid out the four UK age-verification pathways. A June 30 Q&A walks through facial age estimation, photo-ID matching, open banking, and email-based age estimation, with a Discord data breach cited as the cautionary case for ID-image retention [3].
  • 404 Media covered a PLOS One study in which AI impersonations of 112 UK public figures out-rated the humans. Becky Ferreira's July 1 piece reports that 948 UK participants rated AI-generated answers to Question Time prompts as more authentic, coherent, and relevant than the original debate responses [4].
  • EFF asked Governor Pritzker to veto Illinois HB 5511. Hayley Tsukayama's June 29 piece calls the device-level age-gating bill a "massive privacy and free speech nightmare" modeled on California's AB 1043 and New York's SAFE for Kids Act [5].
  • EFF called on lawmakers to act before armed police drones deploy at scale. Matthew Guariglia's June 26 piece points at Skydio relaxing weapons policies and at Campus Guardian Angel pilot programs in Georgia and Florida for fall 2026, with the San Francisco 2022 policy cited as insufficient because it excludes less-lethal measures [6].
  • Other news today: EFF's Alexis Hancock followed up the BADBOX story with a call for Amazon and Walmart to stop selling compromised Android devices, citing Google's figure that one major campaign affected 10 million uncertified devices [7].

India Tells WhatsApp to Halt Its Username Feature. The Reason Is Phishing, Not Privacy.

India's Ministry of Electronics and IT (MeitY) sent WhatsApp a letter dated July 1 ordering the company to halt a new username feature and respond within three days, according to a July 2 report by The Register's Connor Jones. The feature, which opened reservations on June 29 and is rolling out through the rest of 2026, lets users message without exposing a phone number. The Register reports the order invokes the Information Technology Act 2000 and the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules 2021 [1].

The ministry's stated reason is cybercrime, not privacy. The letter cites phishing, digital-arrest scams, and the impersonation of public authorities, financial institutions, and government departments. WhatsApp described its mitigations to The Register: reserving high-profile usernames, blocking lookalike derivatives, requiring the exact username for first contact, preventing username reuse across Facebook and Instagram by other accounts, and limiting how many new people an account can contact. The company also said other users need to know the exact username to message you, and it will block repeated attempts to guess someone's username key [1].

The Internet Freedom Foundation (IFF), which shared the letter, called it "regulatory overreach" with no clear legal basis, per The Register's reporting. IFF framed the order as "the latest example of attempted regulatory overreach," drawing the parallel to MeitY's March 2024 advisory seeking pre-launch approval of AI models (withdrawn within a fortnight) and the ministry's June 2026 temporary Telegram block ahead of the NEET-UG medical exam. MeitY did not respond to The Register's request for comment [1].

The user base is the reason this story is structural rather than regional. The Register describes India as WhatsApp's "largest market," with roughly 850 million Indian accounts inside a global base of more than 3 billion users. A pre-launch approval regime that can repeatedly hold up a feature for three days at a time in WhatsApp's largest market is a regulatory choke point that does not require product bans to operate. Our WhatsApp-encryption-lawsuit thread tracks the same producer-side identity question in US courts; the India order is the producer-side privacy question [1][8].

EFF's Queer Identity Wipe Guide, Step by Step

EFF's Paige Collings published "LGBT Q&A: How Can I Wipe Online Data That Points To My Queer Identity?" on July 2, 2026, the opening piece in EFF's Pride "LGBT Q&A" initiative season two. The article targets the specific case of information "that could point to my queer identity" and treats it as the threat model that drives the cleanup [2].

The article is a step list. Establish a strong security baseline with unique passwords and two-factor authentication. Install Privacy Badger, which the article calls an "install-and-forget tracker blocking tool" that stops trackers from compiling information for advertising and data brokers. Remove your advertising ID on Android and iPhone. Ask data brokers to delete personal data, either DIY, through California's Privacy Protection Agency deletion tool at privacy.ca.gov/drop/, or through paid services EasyOptOuts or Optery. Use Google's "Results about you" page to receive notifications when new types of information appear in Google Search (Collings flags that this "will not remove the information from the internet, it just won't show up in Google's search"). Then audit your digital footprint: list every social media and forum account, review public content (name, contact info, pictures that show home or workplace), and review account settings and login credentials [2].

The article closes with a search-method recommendation worth quoting in full: use a private browsing window or separate browser, logged out of accounts like Google, and search your name, nickname, handle, avatar, address, phone number, and email addresses. The two framing lines from the article do most of the editorial work: "You cannot protect everything all the time, but there are ways to wipe information about yourself online," and "The best time to take steps to protect yourself is before anything bad happens" [2]. Our age-verification-as-infrastructure tracker covers the cumulative identity-cache argument the wipe guide is responding to [9].

EFF Maps the Four UK Age-Verification Pathways, and What Each One Keeps

EFF's Paige Collings and Erica Portnoy published "LGBT Q&A: What Data Are Companies in the UK Collecting When Verifying My Age?" on June 30, 2026. The piece is the structural companion to the wipe guide: same threat model, but the question is what each pathway on the UK side actually retains about the user being verified [3].

The four pathways, as the article lays them out: facial age estimation (photo or video analyzed by providers like Yoti or Persona; Yoti claims the image is "immediately and permanently deleted" after estimation; some services such as k-ID and Private ID process on-device); photo-ID matching (ID documents such as driving license or passport compared to a selfie via third parties like Yoti or Incode; Incode does not automatically delete data post-process; TikTok claims it initiates deletion when reached through TikTok); open banking (the bank confirms over-18 status without sharing the user's full date of birth, with credit-card checks running through payment processors); and email verification (a third party estimates age based on the email's prior use across services, aggregating some data in the process). The piece cites a Discord data breach in which ID images were exposed as the cautionary case for photo-ID retention [3].

The LGBTQ+ angle runs through the same line EFF has used all season: the data "can be used by employers, governments, family members, scammers, or bad actors to inflict harassment, discrimination, arrest, or violence," and "broad restrictions on social media will inevitably limit access to lawful speech, and valuable online communities, and arts and culture." Read against the day, the wipe guide and the UK Q&A are the same response on two sides of the same pipeline: what to scrub on the way out, and what not to hand over on the way in [2][3].

404 Media: UK Participants Rated AI Impersonations of 112 Public Figures More Authentic Than the Humans

404 Media's Becky Ferreira reported on July 1, 2026 that a PLOS One study (Herbold et al.) had UK participants rate AI-generated impersonations of 112 UK public figures against the real humans, and the AI won on authenticity. The public figures were drawn from BBC One's Question Time, and the 948 participants rated AI-generated answers to debate prompts as more authentic, coherent, and relevant than the original debate responses [4].

The study design is the news. The setting was Question Time, which Ferreira describes as "one of the biggest shows in the UK." The participants were rating real-thing-versus-AI on the same prompt. The lead author told 404 Media that coherence being rated higher than authenticity was expected "because the setting was a bit unfair," but the authenticity gap is the result that surprised the team. Two researcher quotes carry the editorial weight: there is "a dire need to inform the general public of the potential harm this can have on society," and "We were wondering what happens if we just ask them to be [a specific] person, and then more importantly, do people believe that?" Ferreira's framing: "We had a lot of people say: 'Wow, I never believed this was AI'" [4].

The electoral connection is structural, not speculative. The 2026 UK cycle already sits on top of the deepfake-evidence fight; the 2026 US midterms face the same load with less enforcement behind it. Our AI-deepfake-2026-midterm state-laws thread and the Hany Farid deepfake-detection profile carry the through-line [10][11].

EFF Asks Pritzker to Veto Illinois HB 5511

EFF's Hayley Tsukayama published "EFF to Gov. Pritzker: Veto Illinois' HB 5511" on June 29, 2026. The piece calls the bill a "sweeping, device-level age-gating framework across nearly all internet-enabled hardware, operating systems, and online services," forcing digital platforms to "collect and share users' ages to platforms and websites" and stripping "basic, everyday features like personalized content feeds and overnight notifications for young people" unless they secure "verifiable parental consent" [5].

EFF's framing is the same one Tsukayama and the rest of the EFF age-verification beat have run for the season. The bill is a "massive privacy and free speech nightmare" that will "effectively dismantle online anonymity, jeopardize data security, and severely restrict access to constitutionally protected speech for young people and adults alike." The piece calls the bill "an existential threat to the open-source ecosystem that underpins the modern internet" and "premature, economically risky, and legally wasteful," pointing at California's AB 1043 (Digital Age Assurance Act) and New York's SAFE for Kids Act as the models it copies before either takes effect. EFF's specific warnings: the bill will harm young people relying on the internet for information and community and cut off "vital lifelines for vulnerable youth in non-traditional families" [5].

The veto window is the news peg. EFF links the Illinois General Assembly status page for HB 5511 as the live tracker; Governor Pritzker's decision will reshape the cumulative state-level age-verification map the same week the wipe guide and the UK Q&A are surfacing. The Doctorow op-ed thread carries the editorial case for why age verification is identity infrastructure [5][12].

EFF: Lawmakers Must Act Now Before Armed Police Drones

EFF's Matthew Guariglia published "Lawmakers Must Act Now to Prevent Armed Police Drones" on June 26, 2026. The piece is a federal-legislation push anchored to a vendor-policy shift: Skydio CEO Adam Bry said on a podcast that the company "got some things wrong" regarding past restrictions on military arming of their drones, and called it "misguided" to write policies banning customers from weaponizing devices. The article reads the shift as Skydio signaling it "will not implement restrictions on their customers' use of their devices," against a backdrop where Skydio "holds a huge amount of police contracts" and supplies fleets for Drone as First Responder (DFR) programs [6].

The school drone pilots are the second anchor. Campus Guardian Angel will run pilot programs in five Georgia high schools and in Florida in fall 2026. The drones are described as designed to "swarm, distract, crash into, and even shoot irritants at potential school shooters." The earlier precedent is Axon pausing development of taser-armed drones after public backlash. EFF argues current rules depend on "the internal ethical commitments of companies" rather than law, and points at San Francisco's 2022 policy banning deadly force via robots as insufficient because it excludes less-lethal measures like tasers, pepper spray, rubber bullets, and kinetic strikes. The piece urges lawmakers to act; no federal bill is named [6].

Read against the rest of the police-tech coverage, the Skydio shift lands in the same week that the Waikiki drone rollout and the Denver DFR fleet have moved from pilot to deployment. Our police-drone-1500-agencies thread carries the cumulative adoption story [6][13][14][15].

What to Watch This Week

Friday July 3 to Monday July 6. The India-WhatsApp three-day clock starts from the July 1 letter. Watch whether MeitY receives a substantive response from WhatsApp, and whether the username rollout halts as ordered. The IFF framing is the legal-basis question: the order "names one company, sets a three-day clock, and bars the launch until MeitY is satisfied." Watch whether Meta mounts a public response or files any procedural challenge [1].

Illinois HB 5511 veto window. EFF's veto letter to Governor Pritzker is the campaign's anchor. The veto or signature decision will reshape the cumulative state-level age-verification map, with AB 1043 and the SAFE for Kids Act as the comparators and the wipe guide and UK Q&A as the explanatory pipeline [5][2][3].

Fall 2026 drone pilots. Campus Guardian Angel runs in five Georgia high schools and in Florida starting in fall 2026. The Skydio weapons-policy shift is the vendor-side enabler. Watch whether any state or federal bill advances to set the rules EFF is asking for, before deployment [6].

The PLOS One authenticity result. The 112-public-figure study lands inside the 2026 UK election cycle and the 2026 US midterm preparation. Watch whether any UK or US regulator cites the finding as evidence in a deepfake-evidence or impersonation rulemaking, and whether Herbold et al. publish the per-question results table [4].

Sources

  1. The Register, Connor Jones: India gives WhatsApp three days to defend username rollout amid security fears, July 2, 2026. https://www.theregister.com/security/2026/07/02/india-writes-to-whatsapp-over-usernames-security-concerns/5265744
  2. EFF Deeplinks, Paige Collings: LGBT Q&A: How Can I Wipe Online Data That Points To My Queer Identity?, July 2, 2026. https://www.eff.org/deeplinks/2026/07/lgbt-qa-how-can-i-wipe-online-data-points-my-queer-identity
  3. EFF Deeplinks, Paige Collings and Erica Portnoy: LGBT Q&A: What Data Are Companies in the UK Collecting When Verifying My Age?, June 30, 2026. https://www.eff.org/deeplinks/2026/06/lgbt-qa-what-data-are-companies-uk-collecting-when-verifying-my-age
  4. 404 Media, Becky Ferreira: Scientists Asked AI to Impersonate 112 Public Figures. What Happened Next Is a 'Dire' Warning, July 1, 2026. https://www.404media.co/untitled-28/
  5. EFF Deeplinks, Hayley Tsukayama: EFF to Gov. Pritzker: Veto Illinois' HB 5511, June 29, 2026. https://www.eff.org/deeplinks/2026/06/eff-gov-pritzker-veto-illinois-hb-5511
  6. EFF Deeplinks, Matthew Guariglia: Lawmakers Must Act Now to Prevent Armed Police Drones, June 26, 2026. https://www.eff.org/deeplinks/2026/06/lawmakers-must-act-now-prevent-armed-police-drones
  7. EFF Deeplinks, Alexis Hancock: Primed for Malware: Stop Selling Compromised Android Devices, June 25, 2026. https://www.eff.org/deeplinks/2026/06/primed-malware-stop-selling-compromised-android-devices
  8. State of Surveillance: WhatsApp Encryption Lawsuit Meta Investigation, the SoS thread on the producer-side identity question in US courts. /news/whatsapp-encryption-lawsuit-meta-investigation-2026
  9. State of Surveillance: Age Verification Surveillance Infrastructure ID System, the structural brief on the identity-cache argument. /news/age-verification-surveillance-infrastructure-id-system-2026
  10. State of Surveillance: AI Deepfakes 2026 Midterm Elections State Laws, the cumulative deepfake-rules tracker. /news/ai-deepfakes-2026-midterm-elections-state-laws
  11. State of Surveillance: Hany Farid Deepfake Detection Lost Race NYT Profile, the detection-side brief. /news/hany-farid-deepfake-detection-lost-race-nyt-profile-2026
  12. State of Surveillance: Cory Doctorow Age Verification Is Mass Surveillance, the editorial through-line on identity-as-infrastructure. /news/cory-doctorow-age-verification-is-mass-surveillance-2026
  13. State of Surveillance: Waikiki Police Drones Skydio Surveillance Hawaii, the Waikiki drone-rollout vessel. /news/waikiki-police-drones-skydio-surveillance-hawaii-2026
  14. State of Surveillance: Denver Police Drones Flock Skydio Surveillance, the Denver DFR vessel. /news/denver-police-drones-flock-skydio-surveillance-2026
  15. State of Surveillance: Police Drone Surveillance 1500 Agencies Facial Recognition, the cumulative adoption brief. /news/police-drone-surveillance-1500-agencies-facial-recognition-no-oversight-2026